Cyberwar Rhetoric Is Scarier Than Threat of Foreign Attack

Reader Comments
Back to article

WOW That is the most irresponsible article that I have ever read. I have been around information warfare/intelligence community for over 40 years. I wrote my first cypher almost 50 years ago. My father was the guy who planned NATO communications in the 60's. One of my neighbors designed the Library of Congress search system. A couple of my best friends work on cyber attack/ malware issue for the intelligence agencies. Currently, I write AI systems for KM and code cracking. I used my research tool to find this article.
My friends working for the intels all use the word "terrified" when talking about malware. This is in private discussion over coffee. One of them recently got bit twice looking up asbestos removal. a) This stuff is very very real. b) it is going to get much worse. We are just seeing the very beginning of this problem.
I five years time you will come to see this as a completely insane.

Tom Folkes of VA 10:43AM April 06, 2010

We need to address the root of the problem here; the U.S. is vulnerable to attack due to the destruction of the U.S. technology work force.

Patrick Mnnroe of IL 2:02PM April 03, 2010

Ranum is touching on a key point and that point is essentially that it is terribly dangerous as well as ill advised to act in the absence of hard fact. In my post at http://fudsec.com/the-importance-of-being-earnest-in-a-global-e, I discuss in detail the danger of doing so and specifically cite the example of China and the now infamous 'Google' attack. Ours is a fully globalized existence as Marcus points out; the Chinese yuan is dependent upon the strength of the US dollar; our economic interdependence cannot be argued; it is fact. However we must be careful to not assume that there has been no escalation or maturity (formal or informal), with respect to cyber-military capability as part of the arsenal at the disposal of those nations who may or may not be friendly towards the United States.
The same can be said with respect to the advancement of cyber-espionage. Coming from the DoD Intelligence and Information Security community, it is my belief that what Ranum calls 'business as usual' differs greatly from formalized Foreign Intelligence and Security Services (FISS) type activity and therefore requires distinction. My colleague John Pirc and I are authoring a book for Syngress which deals with Cyber-Crime and Espionage (Fall of 2010) and would be happy to expand upon that with any parties interested in honest debate.
I enjoyed Marcus' post though I disagree with his view that militaristic use of cyber-weapons for warfare is overly hyped. I agree in that the issue of failure to verify and thusly substantiate the irrefutable nature of data is a problem (one which needs addressing quickly). Good job!

Will Gragido of IL 6:35PM March 31, 2010

I think we can all agree that the main problem with the cyber attacks from china is the financial burden to set up things like spam filters.
I get constant attacks on my sites. Nothing serious, but it is a burden to be installing intrusion detectors, etc.
And yes, china is "ahead". Not in capabulity, but certainly in volume of attacks. I am convinced that the state is funding this crap just to be a burden on western economies.
I haven't seen these pundits claim that our power grid is in danger.
Then again, I don't watch Fox news. If I do, I assume that the
"liberal " they choose is an idiot.
I'd disagree strongly on one point. Cyberespionage is cyber war. just cold war.
China has declared "cold" war on us.
Take it with a grain of salt. I have had several FBI briefings on what we need to do. They don't use the word China. But they won't correct you if you mention it.
I totally believe that china has annoying hackers on the payroll. 180,000 seems high. A couple of thousand perhaps.

CaveMole of NM 9:10AM March 31, 2010

Maybe before Mr Ottman replies again he should learn how the DoD refers to its Combatant Commands....EUCOM, AFRICOM and STRATCOM (at least he got the last one right).
And regarding STRATCOM, GEN Chilton is on record stating that there is no need for a new Cyber Command, the DoD already has one, and that is STRATCOM. He is correct in that statement, but obviously there is and have been some issues among the entire DoD regarding control of the network, and I personally do not believe that creating a new 'command' will change this. Each Combantant Commander and each Service Chief and in theory, each network administrator believes he/she 'owns' their piece of the network....and that is the problem. The DoDs security problems will not be solved until everyone can just get along and quit fighting over rice bowls.
I agree with Mr Ranum 100%

Susan Camoroda of CA 6:02PM March 30, 2010

Everyone knows that Marcus and I have had our differences in the past. :-) But he is a great writer and a great thinker. Let the record show that I agree with Marcus Ranum that the US is not at cyberwar with China, or any other nation. Cyber espionage is indeed business as usual and I believe justifies new investment in cyber defense. No miraculous new technology is needed, just the good application of tools and processes that Marcus has advocated for 20 years; and even contributed to developing.
That said, debating terminology is a losing battle unless you have a huge marketing budget. Look at the impossibility of getting people to re-adopt the original meaning of "liberal" as someone who believes in individual liberty! Words and their meaning get adopted through powerful human interactions. Just get over the fact that "cyber" is going to be the word that refers to networks and computers and the applications that run over them. Move on.
Is cyberwar possible? Have denial of service attacks coincided with military incursions across borders? Have electrical power grids failed due to network worms and software bugs? Have spurious route annoucnements taken down large chunks of the Internet? Have warring factions in Israel-Palistine, India-Pakistan, Russia-Chechnya/Serbia/Estonia/Lithuania/Ukraine/Georgia engaged in cyber mischief?
Yes, it is, they have, and they will continue.

Stiennon of MI 11:16AM March 30, 2010

Wow John,
What an ignorant and misguided statement. Can't believe they replaced Toby Weiss with someone like you. Guess you weren't handpicked for your brilliant security insight, but more for your sales and marketing background. You might try refraining on commenting on something that isn't your core competency in the future. An old saying some to mind: "Better to remain silent on some issues and thought to be a fool, than to open your mouth and remove all doubt".
Ken Pfeil

Ken Pfeil of NY 5:43AM March 30, 2010

Marcus Ranum has gotten into trouble before for illuminating issues as he does here, with what Zen adepts call a "beginner's eyes," seeing the real landscape instead of the dstorted one, draped in the gauze of self-interested spin. His insights in this essay are accurate and his credentials are impeccable. Instead of argument by citation (leadership of Europecom, Africacom and StratCom) it would be helpful to address and refute if possible his specific assertions. Where is he wrong, John Ottman? The Brass disagrees? Have you by any chance heard former Secretary McNamera's heartfelt grief before he died, when he looked back at the horrors of Viet Nam and said, "we were wrong?"

Richard Thieme of WI 11:35PM March 29, 2010

Do you seriously think that the leaders of Africacom know more about cyber defense and the analysis required than Marcus Ranum? Who are these leaders? Please post the credentials and bonafides of these impressive men. Being at a hearing on C-SPAN is not enough. Yes I have been there.
You missed the point of the article. The current attacks and risks are the same as they were 10 years ago. Everything was vulnerable then just as it is now.
Chris Wysopal
CTO Veracode, Inc

Chris Wysopal of MA 11:14PM March 29, 2010

Two weeks ago, the Senate Armed Services Committee heard from the leadership of Europecom, Africacom and StratCom. These impressive men stated in clear terms that our cyber defense is not adequate to protect the country. The hearing is available on C-SPAN and would likely would change the writers view that our vulnerabilities are overstated.
We should heed their warning and get serious about cyber defense.
John Ottman
President and CEO
Application Security, Inc.

John Ottman of CT 7:12PM March 29, 2010